States Coordinate Cyber Response

Tuesday, May 31, 2011 @ 05:05 PM gHale

Security experts have long talked about bringing government and industry together, to no avail. Now some New England states are coordinating IT professionals from both areas to work on ways to minimize any kind of disruption, planned or unplanned, to critical systems.

Rhode Island, Massachusetts and New Hampshire are coordinating plans for responding to interruptions in services due to cyber attacks or natural disasters that disrupt computer systems.

Government IT departments in the region have traditionally done a good job of maintaining, securing and restoring their cyber-infrastructure, said Adam Wehrenberg, project director of the New England Regional Catastrophic Preparedness Initiative. But there was a coordination gap between IT and emergency management. “As our world increasingly hinges on technology, we have to shift thinking so that we begin to view cyber-disruptions as potentially significant events, rather than just inconveniences,” Wehrenberg said. “Cyber-disruption may not result in a simple email outage, but may be the cause (or effect) of a much greater emergency.”

In 2008, when stakeholders in the region converged to plan for catastrophic events, cyber-security was a high priority because of the prominence of medical, higher education and financial institutions. “We think the basics under emergency management are hurricanes and snowstorms or floods, which are critical,” said Ed Johnson, deputy director of the Rhode Island Emergency Management Agency. “But there’s a whole other nexus out there that’s a concern, probably even a greater concern, of the cyber piece.”

In 2009, Rhode Island officials met with representatives from hospitals, financial institutions, colleges, universities, the military, cable and communications industries, and utilities to identify who the stakeholders were and who could contribute resources to a cyber-disruption response team (CDT).

The plan describes an implementation of Emergency Support Function (ESF) 2 under the National Response Framework. The response team will likely consist of eight to 12 members, organized under the Rhode Island State Police, who will be responsible for restoring critical IT systems.

The plan is nearly complete, according to Theresa Murray, a regional catastrophic planner with the Rhode Island Emergency Management Agency. The state has yet to establish standard operating procedures for the team, but Murray said it would likely deploy following any significant disruption that affects critical infrastructure and impacts operations, whether it’s a cyber-attack, widespread virus or hurricane that knocks down power and telephone lines across the state.

“The key is to get the state back up and running,” Murray said. “When the local communities are unable to do it on their own, the private companies need some extra hands; that’s when they [the CDT] kick in.”

About one-third of Rhode Island hospitals lost access to their computer systems in 2010 due to an update to a virus definition file that flagged a harmless Windows file as a virus. As a result of the outage, staff lost access to their computers for about eight hours. The issue prompted Rhode Island Hospital personnel to divert some emergency room visitors to other hospitals and postpone some elective surgeries. Patient care continued uninterrupted using backup procedures, a spokeswoman said. Murray cited the incident as an example of when the state CDT would come into play.

In 2010, the Boston urban area earned nearly $1 million from a Regional Catastrophic Preparedness Grant to coordinate planning between the three states. The states developed a Regional Cyber Disruption Plan Annex to their Regional Catastrophic Coordination Plan. They began by organizing a Cyber Working Group of IT and emergency management professionals from the three states as well as the Providence and Boston Urban Areas Security Initiative (UASI) regions.

The workgroup identified critical cyber-assets within the region using a scoring and filtering mechanism based on Homeland Security Directive 7, Wehrenberg said.

Cyber-disruption teams are also in Massachusetts and New Hampshire as well as the Providence and Boston UASI regions. The teams will have personnel from IT, emergency management, public safety and service providers who can advise an incident commander about restoring or maintaining critical infrastructure under ESF-2. “The CDT is intended at the regional level to be able to coordinate resources to respond to an incident of catastrophic proportions,” Wehrenberg said. “However, like other ICS structures, the CDTs are scalable so that they can be utilized in an incident of any size.”

While the teams and planning may not be at identical stages in each state, he said, they have laid the groundwork.

Officials hope to expand the planning collaboration to the other states. Officials from the Rhode Island Emergency Management Agency, along with Rhode Island and New Hampshire National Guard representatives, presented to generals from the six New England states, New York and New Jersey about the development of the cyber-disruption coordination teams and how they could integrate into the National Guard.

Another part of the cyber-disruption planning is increased outreach to businesses and local governments to encourage them to back up and secure their data, make sure their security software is up-to-date and implement continuity of operation plans. Murray is reaching out to partner with larger businesses — including banks, local hospitals and universities — to enlist their help in spreading the cyber-security preparedness message.

The state is also working on establishing a facility where small businesses and community members can learn about cyber-security. The facility would also be where members of the state’s CDT would be trained, a function currently performed at a state police facility in Scituate, R.I.